[netfilter-cvslog] r6795 - trunk/conntrack-tools

pablo at netfilter.org
Tue Apr 17 01:05:09 CEST 2007


Author: pablo at netfilter.org
Date: 2007-04-17 01:05:09 +0200 (Tue, 17 Apr 2007)
New Revision: 6795

Removed:
   trunk/conntrack-tools/CHANGELOG
Modified:
   trunk/conntrack-tools/ChangeLog
   trunk/conntrack-tools/INSTALL
   trunk/conntrack-tools/Makefile.am
Log:
- Merge conntrack and conntrackd changelogs, even if it will be dropped from SVN soon.
- Update INSTALL documentation



Deleted: trunk/conntrack-tools/CHANGELOG
===================================================================
--- trunk/conntrack-tools/CHANGELOG	2007-04-16 19:13:17 UTC (rev 6794)
+++ trunk/conntrack-tools/CHANGELOG	2007-04-16 23:05:09 UTC (rev 6795)
@@ -1,184 +0,0 @@
-version 0.9.3 (yet unreleased)
-------------------------------
-o fix commit of confirmed expectations (reported by Nishit Shah)
-o fix double increment of counters in cache_update_force() (Niko Tyni)
-o nl_dump_handler must return NFCT_CB_CONTINUE (Niko Tyni)
-o initialize buffer in nl_event_handler() and nl_dump_handler() (Niko Tyni) 
-o CacheCommit value can be set via conntrackd.conf for the NACK approach
-o fix leaks in the hashtable/cache flush path (Niko Tyni)
-o fix leak if a connection already exists in the cache (Niko Tyni)
-o introduce a new header that encapsulates netlink messages
-o remove all '_entry' tail from all functions in cache.c
-o split cache.c: move cache iterators to file cache_iterators.c
-o fix inconsistencies in the cache API related to counters
-o cleanup 'usage' message
-o fix typo in examples/sync/nack/node1/conntrackd.conf
-o introduce message checksumming as described in RFC1071 (enabled by default)
-o major cleanups in the synchronization code
-o just warn once that the maximum netlink socket buffer has been reached
-o fix ignore conntrack entries by IP and introduce ignore pool abstraction layer
-o introduce netlink socket buffer overrun handler
-o constification of hash, compare and hashtable_test functions in hash.c
-o introduce ACKnowledgement mechanisms to reduce the size of the resend queue
-o remove OK messages at startup since provide useless data
-o fix compilation warning in mcast.c: recvfrom takes socklen_t not size_t
-o add a lock per buffer: makes buffer code thread safe
-o introduce 'Replicate' clause to explicitely set states to be replicated
-o kill cache feature abuse: introduce nicer cache hooks for sync algorithms
-o fix oversized buffer allocated in the stack in the cache functions
-o add support to dump internal/external cache in XML format '-x'
-
-version 0.9.2 (2006/01/17)
---------------------------
-o remove spamming packet lost messages
-o generalize network netlink sequence tracking 
-o fix bogus error message on resync `-R'
-o fix endianess issues in the network netlink message
-o introduce generic netlink multicast primitives to send and receive
-o fix bogus replayed multicast message due to sequence numbering wraparound
-o introduce counter for malformed netlink messages received
-o introduce a new syntax for the `Sync' section  in the configuration file
-o several cleanups and remove unused variables
-o add autostuff to include examples in the tarball (reported by Victor Lozano)
-o use the new API available in libnetfilter_conntrack-0.0.50
-o implement a NACK based protocol for replication
-
-version 0.9.1 (2006/11/06)
---------------------------
-o conntrackd requires kernel >= 2.6.18
-o remove bogus TIMERS_MODE constant
-o implement bulk mode '-B': first works to address the preemption issue
-o fix minor reduction conflicts in the configfile grammar
-o check for CAP_NET_ADMIN instead of requiring root privileges
-o check that linux/capability.h exists
-o fix formatting at dump statistics '-s'
-o move dump traffic stats before multicast traffic stats
-o move event and dump handler to a generic infrastructure: kill events.c file
-o kill unused function inc_ct_stats
-o kill file resync.h
-o cleanup broadcast_sync: renamed to mcast_send_sync
-o sed 's/perror/debug/g' local.c
-o fix bogus increment of update_fail stats at dump stage
-o display descriptive error if we can't connect to conntrackd via UNIX socket
-o remove debugging message from alarm.c
-o move dump_mcast_stats to mcast.c where it really belongs
-o rename stats.c to traffic_stats.c
-o check for replayed/lost multicast message: simple seq tracking w/o recovery
-o reissue nfnl_catch on ENOENT error: a message for other subsystem
-o remove test/ directory in tree
-o improve cache commit stats
-o kill last_commit and last_flush from cache statistics: use the logfile
-o recover cache naming for dump stats `-s'
-o display multicast sequence tracking statistics: packets lost and replayed
-o zero ct_sync_state and ct_stats_state structures after allocation
-o improve keepalived scripts:
-   - resync with conntrack table on transition to master
-   - send bulk on transition to backup
-o implement alarm cascade of ten levels
-o implement timer cache flavour: limited life of entries in the external cache
-o implement a global lock that protects operation with conntrack entries
-o remove debug checking in cache_del_entry
-o set a reduced timeout for committed entries: 180 seconds by default
-o update comments on the sync-mode code
-o introduce delay destroy messages facility
-o increase timer for external states from 60 to 180 seconds
-o remove unused replicate/dont_replicated constants
-o fix cache entry clashing issue (reported by Maik Hentsche)
-o fix bogus increment of error stats in the external cache
-o remove pollution generated by `[REQ] cache dump' message from logfile
-
-version 0.9.0 (2006/09/17)
---------------------------
-o implement initial for IPv6 (untested)
-o implement generic extensible cache: kill the internal and external caches
-o implement persistence cache feature
-o implement lifetime cache feature
-o modify UNIX facilities identification numbers:
-  separate master conntrack facilities and internal plugin facilities
-o break backward compatibility of configuration file:
-  remove IgnoreLoopback, use IgnoreTrafficFor instead
-  remove IgnoreMulticastTraffic, use IgnoreTrafficFor instead
-o merge event/event_subsys and sync/sync_subsys initialization to run.c
-o improve control of the iteration process in the hashtables
-o fix wrong locking in the alarm thread
-o supersede AcceptNAT by StripNAT clause
-o replace ignore traffic array by a hashtable
-o move lockfile checking before daemonization
-o on initialization error give a descriptive error
-o introduce netlink socket size grown limitator
-o introduce force resync with master conntrack table facility '-R'
-o ignore SIGPIPE signal
-o kill post_step since it is not used anymore
-
-version 0.8.3 (2006/09/03)
---------------------------
-Author: Maik Hentsche <maik mm-double net>
-
-o Fix typo in conntrackd -h
-o Disable debugging messages by default
-o No signals while signals handlings
-o Add extra checkings at forking
-o Check maximum size for file passed via -C
-
-Author: Pablo Neira Ayuso <pablo netfilter org>
-
-o retry select() if EINTR is returned (Reported by Maik Hentsche)
-o Fix bug in slist_for_each_entry (Reported by Maik Hetsche)
-o Signal handler registration done after intialization
-o Implement alarm thread (based on Maik Hentsche's patch)
-o Fix segfault on conntrackd -k (Reported by Maik Hentsche)
-o Fix bug on alarm removal (Reported by Maik Hentsche)
-o configure stops if bison, flex or yacc are not installed
-
-version 0.8.2 (2006/07/05)
---------------------------
-o RelaxTransitions clause introduced in Sync mode
-o multicast messages sequence tracking
-o SocketBufferSize clause to set up the netlink socket buffer
-o use new libnfnetlink API to solve limitations of nfnl_listen
-o extra sanity checkings for netlink multicast messages
-o improve statistics
-o tons of cleanups 8)
-
-version 0.8.1 (2006/06/13)
---------------------------
-o -f now just flushes the internal and external caches
-o -F flushes the master conntrack table
-o fix segfault under heavy load and signal received
-o added -S mode for statistics: still needs more thinking
-
-version 0.8.0 (2006/06/11)
---------------------------
-o more work to generalize the daemon: now it's ready to implement
-modular support for adaptive timers and conntrack statistics, time
-to implement them ;). This is *still* a work in progress.
-
-version 0.7.2 (2006/06/05)
---------------------------
-o stupid bug in normal and alarm caches initialization: flush unset
-o fix racy signal handling
-
-version 0.7.1 (2006/06/05)
---------------------------
-o Bugfix for multicast sockets communication
-
-version 0.7 (2006/06/01)
-------------------------
-o Major code re-structuration: internal and external cache abstraction
-o sequence tracking for event messages
-o expect more changes, I still dislike some stuff in its current status ;)
-
-version 0.6 (2006/05/31)
-------------------------
-o Lock file support
-o use new API nfct_conntrack_event_raw
-o major code clean ups
-
-version 0.5 (2006/05/30)
--------------------------
-o Fix multicast server binds to wrong interface
-o Include clause `IgnoreProtocol', deprecates IgnoreUDP and IgnoreICMP
-
-version 0.4 (2006/05/29)
-------------------------
-o Initial release
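Review bot: this removal is a verbatim move, the 184 deleted lines reappear unchanged in the ChangeLog hunk of this same commit, so nothing is lost; but every defect in the text travels with it (the 0.9.2 release date of 2006/01/17, which sorts before the 0.4 initial release of 2006/05/29, and the typos "explicitely", "endianess", "Hetsche" for Hentsche, "intialization"), so fix them in the ChangeLog copy rather than carrying them forward. A plain delete is the right operation here because the content is merged into an existing file, but the log message should say the history of CHANGELOG now ends at r6794.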

Modified: trunk/conntrack-tools/ChangeLog
===================================================================
--- trunk/conntrack-tools/ChangeLog	2007-04-16 19:13:17 UTC (rev 6794)
+++ trunk/conntrack-tools/ChangeLog	2007-04-16 23:05:09 UTC (rev 6795)
@@ -1,3 +1,191 @@
+version 0.9.3 (yet unreleased)
+------------------------------
+o fix commit of confirmed expectations (reported by Nishit Shah)
+o fix double increment of counters in cache_update_force() (Niko Tyni)
+o nl_dump_handler must return NFCT_CB_CONTINUE (Niko Tyni)
+o initialize buffer in nl_event_handler() and nl_dump_handler() (Niko Tyni) 
+o CacheCommit value can be set via conntrackd.conf for the NACK approach
+o fix leaks in the hashtable/cache flush path (Niko Tyni)
+o fix leak if a connection already exists in the cache (Niko Tyni)
+o introduce a new header that encapsulates netlink messages
+o remove all '_entry' tail from all functions in cache.c
+o split cache.c: move cache iterators to file cache_iterators.c
+o fix inconsistencies in the cache API related to counters
+o cleanup 'usage' message
+o fix typo in examples/sync/nack/node1/conntrackd.conf
+o introduce message checksumming as described in RFC1071 (enabled by default)
+o major cleanups in the synchronization code
+o just warn once that the maximum netlink socket buffer has been reached
+o fix ignore conntrack entries by IP and introduce ignore pool abstraction layer
+o introduce netlink socket buffer overrun handler
+o constification of hash, compare and hashtable_test functions in hash.c
+o introduce ACKnowledgement mechanisms to reduce the size of the resend queue
+o remove OK messages at startup since provide useless data
+o fix compilation warning in mcast.c: recvfrom takes socklen_t not size_t
+o add a lock per buffer: makes buffer code thread safe
+o introduce 'Replicate' clause to explicitely set states to be replicated
+o kill cache feature abuse: introduce nicer cache hooks for sync algorithms
+o fix oversized buffer allocated in the stack in the cache functions
+o add support to dump internal/external cache in XML format '-x'
+
+version 0.9.2 (2006/01/17)
+--------------------------
+o remove spamming packet lost messages
+o generalize network netlink sequence tracking 
+o fix bogus error message on resync `-R'
+o fix endianess issues in the network netlink message
+o introduce generic netlink multicast primitives to send and receive
+o fix bogus replayed multicast message due to sequence numbering wraparound
+o introduce counter for malformed netlink messages received
+o introduce a new syntax for the `Sync' section  in the configuration file
+o several cleanups and remove unused variables
+o add autostuff to include examples in the tarball (reported by Victor Lozano)
+o use the new API available in libnetfilter_conntrack-0.0.50
+o implement a NACK based protocol for replication
+
+version 0.9.1 (2006/11/06)
+--------------------------
+o conntrackd requires kernel >= 2.6.18
+o remove bogus TIMERS_MODE constant
+o implement bulk mode '-B': first works to address the preemption issue
+o fix minor reduction conflicts in the configfile grammar
+o check for CAP_NET_ADMIN instead of requiring root privileges
+o check that linux/capability.h exists
+o fix formatting at dump statistics '-s'
+o move dump traffic stats before multicast traffic stats
+o move event and dump handler to a generic infrastructure: kill events.c file
+o kill unused function inc_ct_stats
+o kill file resync.h
+o cleanup broadcast_sync: renamed to mcast_send_sync
+o sed 's/perror/debug/g' local.c
+o fix bogus increment of update_fail stats at dump stage
+o display descriptive error if we can't connect to conntrackd via UNIX socket
+o remove debugging message from alarm.c
+o move dump_mcast_stats to mcast.c where it really belongs
+o rename stats.c to traffic_stats.c
+o check for replayed/lost multicast message: simple seq tracking w/o recovery
+o reissue nfnl_catch on ENOENT error: a message for other subsystem
+o remove test/ directory in tree
+o improve cache commit stats
+o kill last_commit and last_flush from cache statistics: use the logfile
+o recover cache naming for dump stats `-s'
+o display multicast sequence tracking statistics: packets lost and replayed
+o zero ct_sync_state and ct_stats_state structures after allocation
+o improve keepalived scripts:
+   - resync with conntrack table on transition to master
+   - send bulk on transition to backup
+o implement alarm cascade of ten levels
+o implement timer cache flavour: limited life of entries in the external cache
+o implement a global lock that protects operation with conntrack entries
+o remove debug checking in cache_del_entry
+o set a reduced timeout for committed entries: 180 seconds by default
+o update comments on the sync-mode code
+o introduce delay destroy messages facility
+o increase timer for external states from 60 to 180 seconds
+o remove unused replicate/dont_replicated constants
+o fix cache entry clashing issue (reported by Maik Hentsche)
+o fix bogus increment of error stats in the external cache
+o remove pollution generated by `[REQ] cache dump' message from logfile
+
+version 0.9.0 (2006/09/17)
+--------------------------
+o implement initial for IPv6 (untested)
+o implement generic extensible cache: kill the internal and external caches
+o implement persistence cache feature
+o implement lifetime cache feature
+o modify UNIX facilities identification numbers:
+  separate master conntrack facilities and internal plugin facilities
+o break backward compatibility of configuration file:
+  remove IgnoreLoopback, use IgnoreTrafficFor instead
+  remove IgnoreMulticastTraffic, use IgnoreTrafficFor instead
+o merge event/event_subsys and sync/sync_subsys initialization to run.c
+o improve control of the iteration process in the hashtables
+o fix wrong locking in the alarm thread
+o supersede AcceptNAT by StripNAT clause
+o replace ignore traffic array by a hashtable
+o move lockfile checking before daemonization
+o on initialization error give a descriptive error
+o introduce netlink socket size grown limitator
+o introduce force resync with master conntrack table facility '-R'
+o ignore SIGPIPE signal
+o kill post_step since it is not used anymore
+
+version 0.8.3 (2006/09/03)
+--------------------------
+Author: Maik Hentsche <maik mm-double net>
+
+o Fix typo in conntrackd -h
+o Disable debugging messages by default
+o No signals while signals handlings
+o Add extra checkings at forking
+o Check maximum size for file passed via -C
+
+Author: Pablo Neira Ayuso <pablo netfilter org>
+
+o retry select() if EINTR is returned (Reported by Maik Hentsche)
+o Fix bug in slist_for_each_entry (Reported by Maik Hetsche)
+o Signal handler registration done after intialization
+o Implement alarm thread (based on Maik Hentsche's patch)
+o Fix segfault on conntrackd -k (Reported by Maik Hentsche)
+o Fix bug on alarm removal (Reported by Maik Hentsche)
+o configure stops if bison, flex or yacc are not installed
+
+version 0.8.2 (2006/07/05)
+--------------------------
+o RelaxTransitions clause introduced in Sync mode
+o multicast messages sequence tracking
+o SocketBufferSize clause to set up the netlink socket buffer
+o use new libnfnetlink API to solve limitations of nfnl_listen
+o extra sanity checkings for netlink multicast messages
+o improve statistics
+o tons of cleanups 8)
+
+version 0.8.1 (2006/06/13)
+--------------------------
+o -f now just flushes the internal and external caches
+o -F flushes the master conntrack table
+o fix segfault under heavy load and signal received
+o added -S mode for statistics: still needs more thinking
+
+version 0.8.0 (2006/06/11)
+--------------------------
+o more work to generalize the daemon: now it's ready to implement
+modular support for adaptive timers and conntrack statistics, time
+to implement them ;). This is *still* a work in progress.
+
+version 0.7.2 (2006/06/05)
+--------------------------
+o stupid bug in normal and alarm caches initialization: flush unset
+o fix racy signal handling
+
+version 0.7.1 (2006/06/05)
+--------------------------
+o Bugfix for multicast sockets communication
+
+version 0.7 (2006/06/01)
+------------------------
+o Major code re-structuration: internal and external cache abstraction
+o sequence tracking for event messages
+o expect more changes, I still dislike some stuff in its current status ;)
+
+version 0.6 (2006/05/31)
+------------------------
+o Lock file support
+o use new API nfct_conntrack_event_raw
+o major code clean ups
+
+version 0.5 (2006/05/30)
+-------------------------
+o Fix multicast server binds to wrong interface
+o Include clause `IgnoreProtocol', deprecates IgnoreUDP and IgnoreICMP
+
+version 0.4 (2006/05/29)
+------------------------
+o Initial release
+
+conntrack changelog
+===================
+
 2006-03-20
 <hidden at sch.bme.hu>
 	o fix ICMP protocol extension parse callback
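Review bot: the date in `+version 0.9.2 (2006/01/17)` cannot be right: the entry sits between 0.9.3 (unreleased) and 0.9.1 (2006/11/06) and that date predates the 0.4 initial release (2006/05/29), so the year is very probably 2007; check it against the release tarball before this file is frozen. Two smaller points while the text is being moved: the merged file now mixes two formats, `o`-bulleted version blocks for conntrackd above a `conntrack changelog` heading whose entries are date-stamped and tab-indented, so a one-line note at the top saying the first part covers conntrackd and the second covers conntrack would help readers; and the carried-over typos ("explicitely", "endianess", "Hetsche", "intialization", and "implement initial for IPv6" which is missing "support") can be corrected in the `+` lines now.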

Modified: trunk/conntrack-tools/INSTALL
===================================================================
--- trunk/conntrack-tools/INSTALL	2007-04-16 19:13:17 UTC (rev 6794)
+++ trunk/conntrack-tools/INSTALL	2007-04-16 23:05:09 UTC (rev 6795)
@@ -1,53 +1,68 @@
-Copyright (C) 2006-2007 Pablo Neira Ayuso <pablo netfilter org>
+Copyright (C) 2005-2007 Pablo Neira Ayuso <pablo netfilter org>
 
-1.Basic Installation
-====================
+0.Introduction
+==============
 
- To compile and install 'conntrackd' just follow the classical steps:
+ The conntrack-tools package contains two programs:
 
-	$ ./configure
-	$ make
-	# make install
-	# mkdir /etc/conntrackd/
+  - conntrack:	the command line interface to interact with the connection 
+		tracking system.
 
-2.1. Synchronization Mode
-=========================
+  - conntrackd: the connection tracking userspace daemon that can be used to
+  		deploy highly available GNU/Linux firewalls and collect 
+		statistics of the firewall use.
 
- Conntrackd can replicate the status of the connections that are currently
- being processed by your stateful firewall based on Linux. This section
- describes how to setup the daemon in synchronization mode:
+1. Requirements
+===============
 
-2.1.1. Requirements
+ You have to install the following software in order to get the conntrack-tools
+ working, make sure that you have installed them correctly before going forward:
 
- You have to install the following software in order to get conntrackd working,
- make sure that you have installed them correctly before going forward:
-
  o linux kernel version >= 2.6.18 (http://www.kernel.org) with support for:
      - connection tracking system (quite obvious ;)
      - nfnetlink
      - ctnetlink (ip_conntrack_netlink)
      - connection tracking event notification API
 
- o libnfnetlink: the netfilter netlink library
+ o libnfnetlink: the netfilter netlink library available at:
 
-     Since conntrackd version 0.9.2 you can used the official release availble at
-     http://www.netfilter.org/projects/libnfnetlink/files/
+     <http://www.netfilter.org/projects/libnfnetlink/files/>
 
-     Up to conntrackd version 0.9.1 use the unofficial release available at the
-     download section
+ o libnetfilter_conntrack: the netfilter conntrack library available at:
 
- o libnetfilter_conntrack: the netfilter conntrack library
+     <http://www.netfilter.org/projects/libnetfilter_conntrack/files/>
 
-     Since  conntrackd version 0.9.2 you can used the official release availble at
-     http://www.netfilter.org/projects/libnetfilter_conntrack/files/
+2.Basic Installation
+====================
 
-     Up to conntrackd version 0.9.1 use the unnoficial release available at the
-     download section
+ To compile and install conntrack-tools just follow the classical steps:
 
+	$ ./configure
+	$ make
+	# make install
+
+ Up to this point, the command line interface `conntrack' is ready for use.
+ However, the userspace daemon so-called `conntrackd' requires some magic 
+ speells to get it working.
+
+3.Setting up conntrackd
+=======================
+
+ conntrackd currently have two working modes: statistics and synchronization
+ modes, both details here below.
+
+3.1. Synchronization Mode
+=========================
+
+ Conntrackd can replicate the status of the connections that are currently
+ being processed by your stateful firewall based on Linux. This section
+ describes how to setup the daemon in synchronization mode:
+
+
  o Keepalived version 1.x (http://www.keepalived.org)
      check if your distribution comes with a recent version
 
-2.1.2. Configuration
+3.1.2. Configuration
 
  1) Setting up keepalived
 
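Review bot: under `+3.1. Synchronization Mode` the old `-2.1.1. Requirements` heading is deleted but its remaining item (`o Keepalived version 1.x`) is kept as context, so the bullet now hangs directly under the section intro and the numbering jumps from 3.1 to `+3.1.2. Configuration`; either restore a `3.1.1. Requirements` heading above the Keepalived item or move it into section 1 marked as needed for synchronization mode only. The `-	# mkdir /etc/conntrackd/` step is also dropped from the basic install sequence; if the sync-mode configuration later in this file still installs files under /etc/conntrackd/, that step has to reappear there. Typos in the added text: "speells" (spells), "conntrackd currently have two working modes ... both details here below" (has ... both detailed below), and "the userspace daemon so-called `conntrackd'" reads better as "the userspace daemon, conntrackd,".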
@@ -142,7 +157,7 @@
 
     # echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
 
-2.2. Statistics mode
+3.2. Statistics mode
 ====================
 
  Conntrackd can also run as statistics daemon, if you are not interested in
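Review bot: the context line `# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal` is still given with no explanation, and it is a security trade-off: with be_liberal set, conntrack no longer marks out-of-window TCP segments (other than RSTs) as INVALID, which is what lets a backup node pick up flows mid-stream after a failover but also disables the TCP window sanity check on every flow the firewall sees. Since this hunk only renumbers 2.2 to 3.2, the fix is a sentence next to that echo saying why synchronization mode needs it and that a firewall running in statistics mode only should leave it at 0.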
@@ -150,41 +165,19 @@
  synchronization mode working. This section details how to setup the daemon
  in statistics mode:
 
-2.2.1. Requirements
+3.2.1. Requirements
 
- You have to install the following software in order to get conntrackd working,
- make sure that you have them installed correctly before going forward:
+ No extra requirements to set up the statistics mode apart from those detailed
+ in section 1.
 
- o linux kernel version >= 2.6.18 (http://www.kernel.org) with support for:
-      - connection tracking system
-      - nfnetlink
-      - ctnetlink (ip_conntrack_netlink)
-      - connection tracking event notification API
+3.2.2. Configuration
 
- o libnfnetlink: the netfilter netlink library
-
-     Since conntrackd version 0.9.2 you can used the official release availble at
-     http://www.netfilter.org/projects/libnfnetlink/files/
-
-     Up to conntrackd version 0.9.1 use the unofficial release available at the
-     download section
-
- o libnetfilter_conntrack: the netfilter conntrack library
-
-     Since  conntrackd version 0.9.2 you can used the official release availble at
-     http://www.netfilter.org/projects/libnetfilter_conntrack/files/
-
-     Up to conntrackd version 0.9.1 use the unnoficial release available at the
-     download section
-
-2.2.2. Configuration
-
  Setting up conntrackd in statistics mode is rather easy. Just copy the
  configuration file
 
     # cp examples/stats/conntrackd.conf /etc/conntrackd.conf
 
-2.2.3. Running conntrackd in statistics mode
+3.2.3. Running conntrackd in statistics mode
 
  To run conntrackd in statistics mode:
 
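Review bot: the statistics-mode step copies the example to `/etc/conntrackd.conf`, while the basic-install sequence removed in the first hunk of this file created a `/etc/conntrackd/` directory; the document should state one canonical location, ideally the path conntrackd reads when no `-C` option is given, so the two modes do not document different paths. Replacing the duplicated requirements list with a pointer to section 1 in `+3.2.1. Requirements` is the right deduplication.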

Modified: trunk/conntrack-tools/Makefile.am
===================================================================
--- trunk/conntrack-tools/Makefile.am	2007-04-16 19:13:17 UTC (rev 6794)
+++ trunk/conntrack-tools/Makefile.am	2007-04-16 23:05:09 UTC (rev 6795)
@@ -6,7 +6,7 @@
 
 # man_MANS = ""
 # EXTRA_DIST = $(man_MANS) Make_global.am debian
-EXTRA_DIST = Make_global.am CHANGELOG TODO
+EXTRA_DIST = Make_global.am ChangeLog TODO
 
 SUBDIRS   = src extensions
 DIST_SUBDIRS = include src extensions examples
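Review bot: the log message says the merged ChangeLog "will be dropped from SVN soon", and with `+EXTRA_DIST = Make_global.am ChangeLog TODO` `make dist` will fail the moment the file disappears from the tree unless it is generated at dist time (a `ChangeLog:` rule or dist-hook that builds it from the SVN log); plan that before removing it. Note also that automake distributes a top-level file named ChangeLog automatically, so listing it here is redundant but harmless, whereas CHANGELOG had to be listed explicitly. The two commented-out `man_MANS` / `EXTRA_DIST` lines above are dead and could go.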



